Re: Simple XML drilldown link search won't recogni...

flegel2 · ‎06-15-2016

I have a dashboard panel with a table. I am able to change the drilldown search when selecting a row in the panel table to open a new window with the new search:

        <search>
          <query>index=$Environment$ ( program=*shot_director OR program=cryo_director* ) shot_Id=$shotIdPattern$ "Commanded|GoToState" | sort _time | table _time,program,shot_Id,slc_State</query>
          <earliest>$shotEarliest$</earliest>
        </search>
        <drilldown>
          <link target="_blank">
            /app/search/search?q=search index=$Environment$ "&lt;macro_step_complete&gt;" "Execution of Macro Step " shot_id=$shotIdPattern$ | eval subsystem=shot_supervisor | sort -_time 
          </link>
        </drilldown>

but when I add the regex

| rex field=taxon (?<ss>[^|]*)[|]

creating

            /app/search/search?q=search index=$Environment$ "&lt;macro_step_complete&gt;" "Execution of Macro Step " shot_id=$shotIdPattern$ | rex field=taxon (?&lt;ss&gt;[^|]*)[|] | eval subsystem=shot_supervisor | sort -_time

the search window created results in:

index=iccs_int "<macro_step_complete>" "Execution of Macro Step " shot_id=N160613-003* | rex field=taxon (

in the search box and the error

Error in 'rex' command: Encountered the following error while compiling the regex '(': Regex: missing )

It seems the "?" in the regex is being consumed before it is being sent to the search app.

Any ideas?

Thanks in advance!

manikyasandeepg · ‎06-21-2018

Is it working for you now? I have the same issue.

wilsonite · ‎09-11-2018

Every "?" in the search string must be replaced with %3F. The only exception is if you are editing .XML dashboard. In which, you will replace all except for the first one at the beginning of the link section.

<link target="_blank">search?q=

All other ?s must be changed to %3F whether in the extraction, or when escaped out in matching text.

vsingla1 · ‎03-10-2017

@flegel2 I fixed it by placing the ASCII value of ? in the query. Its ASCII value is %3F

woodcock · ‎06-15-2016

The rex string needs to be in double-quotes like this:

 | rex field=taxon "(?<ss>[^|]*)[|]"

flegel2 · ‎06-15-2016

The quotes has no effect on the results.

rrovers · ‎07-20-2018

if you save your search as a 'saved search' and call the drilldown as a link target in your dashboard the rex should work.
so:
dashboard:
search?q=|savedsearch [name of savedsearch]
If you've used arguments in your saved search you should als use them in the link of course.
Saved search:
Here you can use the rex syntax as usualy.

wilsonite · ‎09-11-2018

This solution works correctly as well.

sundareshr · ‎06-15-2016

Try using CDATA, like this

<link>
<![CDATA[
  /app/search/search?q=search index=$Environment$ "<macro_step_complete>" "Execution of Macro Step " shot_id=$shotIdPattern$ | rex field=taxon (?<ss>[^|]*)[|] | eval subsystem=shot_supervisor | sort -_time 
]]>
</link>

flegel2 · ‎06-15-2016

Using CDATA has no effect on the results.

Simple XML drilldown link search won't recognize regex or rex

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

Simple XML drilldown link search won't recognize regex or rex

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR